Configure Log Sources for Amazon Web Services (AWS)

Alert Logic supports the following log source types for AWS deployments:

  • AWS CloudTrail logs—Log messages generated by the AWS CloudTrail service that record AWS API activity in your account
  • AWS S3 logs—Log records that provide details about a single access request, such as the requester, bucket name, request time, request action, response status, and any error codes

For more information about other log source types, see Configure Log Sources for All Deployments or Configure Log Sources for Microsoft Azure.

After you provision and install the Alert Logic agent on your target host, the agent automatically creates an associated log source in the Alert Logic console and configures it with the default collection configuration policy for that log source type. You must create and configure new collection sources with existing collection policies to meet more specific requirements. For more information about Log Management policies, see Log Management Policies.

Create and maintain AWS CloudTrail log sources

You must create an AWS CloudTrail log source in the Alert Logic console to collect CloudTrail logs. This AWS CloudTrail is in addition to the one configured for discovery of your AWS assets. To complete this action, you need the following AWS account information:

  • SQS queue to which CloudTrail publishes events.
  • IAM role credentials:
    • To use an existing IAM role, select Use an existing IAM Role during AWS CloudTrail collection source creation, and then select the IAM role to use.
    • To create a new IAM role, first download and open one of the following policy documents, and then create an IAM role (see Configure IAM Role for Amazon Web Services (AWS) and use the appropriate policy below for your configuration):
      • Use the default policy, recommended policy document (.txt), for CloudTrail log collection. Keep the document open so you can copy and paste the information during IAM role creation.
      • If you have AWS Key Management Service (KMS) configured for the AWS account in which you are configuring this CloudTrail collection source, use this policy document. Keep the document open so you can copy and paste the information during IAM role creation.
    If you decide to configure AWS KMS in the future, you must update the IAM role you created here to use the correct policy for AWS KMS.

To create a AWS CloudTrail source:

  1. From the Deployments page, click CONFIGURE LOG SOURCES.
  2. Click the add icon ().
  3. From Source Log Type, select AWS CloudTrail.
  4. In Source Name, type a descriptive name.
  5. Select Enable Collection.
  6. In Collection Alerts, click the field and select one or more alert options.
  7. In the SQS Queue Name field, type the name of the SQS queue you created to collect CloudTrail logs.
  8. From AWS Region, specify the region in which you created the SQS queue in the previous steps.
  9. Select either Create a new IAM Role, or Use an existing IAM Role.
  10. In the slideout panel, complete the following fields.
    • In Credential Name, enter a descriptive name.
    • In Role ID, enter the IAM Role you created.
    • In External ID, enter your Alert Logic customer ID.
  11. Click SAVE.

To update an AWS CloudTrail source:

  1. From the Deployments page, click the deployment for which you want to update the log source.
  2. Click CONFIGURE LOG SOURCES.
  3. Place your cursor over the desired collection source and click the pencil icon ().
  4. Make the necessary updates.
  5. Click SAVE.

Create and maintain AWS S3 log sources

You must create an AWS S3 log source in the Alert Logic console to collect AWS S3 logs. To complete this action, you need the following AWS account information:

  • SQS queue to which CloudTrail publishes events.
  • IAM role credentials:
    • To use an existing IAM role, select Use an existing IAM Role during AWS S3 log source creation, and then select the IAM role to use.
    • To create a new IAM role, first download and open one of the following policy documents, and then create an IAM role (see IAM Role Creation and use the appropriate policy below for your configuration):
    If you decide to configure AWS KMS in the future, you must update the IAM role you created here to use the correct policy for AWS KMS.

To create an AWS S3 source:

  1. From the Deployments page, click the deployment for which you want to create an S3 collection source.
  2. Click CONFIGURE LOG SOURCES.
  3. Click the add icon ().
  4. From Source Log Type, select S3.
  5. In Source Name, type a descriptive name.
  6. Select Enable Collection.
  7. In Bucket, type the bucket name, followed by the directory name. This bucket name must use a DNS-compliant name. For more information, visit the AWS documentation site.
  8. s3bucketname/root_folder

  9. In File Name or Pattern, type the file name or date pattern of the file log.
  10. In Collection Policy:
    • To use an existing policy, select Use an existing Policy, and then select a policy.
    • To create a new policy, select Create New Policy and select the settings you want. For more information, see .
  11. In Collection Alerts, click the field and select one or more alert options.
  12. From Time Zone, select a time zone.
  13. In the Alert Logic console, complete the following fields:
    • In Credential Name, enter a descriptive name.
    • In Role ID, enter the Role ARN you created.
    • In External ID, enter the external ID.
  14. In Collection Interval, type a value in minutes to indicate how often Log Manager retrieves S3 logs.
  15. In the Tags field, type an easily filtered tag.
  16. Click SAVE.

To update an AWS S3 source:

  1. From the Deployments page, click the deployment for which you want to update the log source.
  2. Click CONFIGURE LOG SOURCES.
  3. Place your cursor over the desired collection source and click the pencil icon ().
  4. Make the necessary updates.
  5. Click SAVE.

Additional Tasks

To learn how to perform additional tasks, such as viewing source information, mass editing sources, archiving and restoring collection sources, see View log source information.